Nine Questions about Hidden Services

This is an interview with a Tor developer who works on hidden services. Please note that Tor Browser and hidden services are two different things. Tor Browser (downloadable at TorProject.org) allows you to browse, or surf, the web, anonymously. A hidden service is a site you visit or a service you use that uses Tor technology to stay secure and, if the owner wishes, anonymous. The secure messaging app ricochet is an example of a hidden service. Tor developers use the terms "hidden services" and "onion services" interchangeably.

1. What are your priorities for onion services development?

Personally I think it’s very important to work on the security of hidden services; that’s a big priority. The plan for the next generation of onion services includes enhanced security as well as improved performance. We’ve broken the development down into smaller modules and we’re already starting to build the foundation. The whole thing is a pretty insane engineering job.

2. What don't people know about onion services?

Until earlier this year, hidden services were a labor of love that Tor developers did in their spare time. Now we have a very small group of developers, but in 2016 we want to move the engineering capacity a bit farther out. There is a lot of enthusiasm within Tor for hidden services but we need funding and more high level developers to build the next generation.

3. What are some of Tor's plans for mitigating attacks?

The CMU attack was fundamentally a "guard node" attack; guard nodes are the first hop of a Tor circuit and hence the only part of the network that can see the real IP address of a hidden service. Last July we fixed the attack vector that CMU was using (it was called the RELAY_EARLY confirmation attack) and since then we've been devising improved designs for guard node security. For example, in the past, each onion service would have three guard nodes assigned to it. Since last September, each onion service only uses one guard node—it exposes itself to fewer relays. This change alone makes an attack against an onion service much less likely.

Several of our developers are thinking about how to do better guard node selection. One of us is writing code on this right now. We are modeling how onion services pick guard nodes currently, and we're simulating other ways to do it to see which one exposes itself to fewer relays—the fewer relays you are exposed to, the safer you are.

We’ve also been working on other security things as well. For instance, a series of papers and talks have abused the directory system of hidden services to try to estimate the activity of particular hidden services, or to launch denial-of-service attacks against hidden services. We’re going to fix this by making it much harder for the attacker's nodes to become the responsible relay of a hidden service (say, catfacts) and be able to track uptime and usage information. We will use a "distributed random number generator"--many computers teaming up to generate a single, fresh unpredictable random number.

Another important thing we're doing is to make it impossible for a directory service to harvest addresses in the new design. If you don't know a hidden service address, then under the new system, you won't find it out just by hosting its HSDir entry.

There are also interesting performance things: We want to make .onion services scalable in large infrastructures like Facebook--we want high availability and better load balancing; we want to make it serious.

[Load balancing distributes the traffic load of a website to multiple servers so that no one server gets overloaded with all the users. Overloaded servers stop responding and create other problems. An attack that purposely overloads a website to cause it to stop responding is called a Denial of Service (DoS) attack. - Kate]

There are also onion services that don’t care to stay hidden, like Blockchain or Facebook; we can make those much faster, which is quite exciting.

Meanwhile Nick is working on a new encryption design--magic circuit crypto that will make it harder to do active confirmation attacks. [Nick Mathewson is the co-founder of the Tor Project and the chief architect of our software.] Active confirmation attacks are much more powerful than passive attacks, and we can do a better job at defending against them. A particular type of confirmation attack that Nick's new crypto is going to solve is a "tagging attack"—Roger wrote a blog post about them years ago called, "One Cell Is Enough"—it was about how they work and how they are powerful.

4. Do you run an onion service yourself?

Yes, I do run onion services; I run an onion service on every box I have. I connect to the PC in my house from anywhere in the world through SSH—I connect to my onion service instead of my house IP. People can see my laptop accessing Tor but don’t know who I am or where I go.

Also, onion services have a property called NAT-punching (NAT = Network Address Translation). NAT blocks incoming connections; it builds walls around you. Onion services have NAT punching and can penetrate a firewall. In my university campus, the firewall does not allow incoming connections to my SSH server, but with an onion service the firewall is irrelevant.

5. What is your favorite onion service that a nontechnical person might use?

I use ricochet for my peer to peer chatting--It has a very nice UI and works well.

6. Do you think it’s safe to run an onion service?

It depends on your adversary. I think onion services provide adequate security against most real life adversaries. However, if a serious and highly motivated adversary were after me, I would not rely solely on the security of onion services. If your adversary can wiretap the whole Western Internet, or has a million dollar budget, and you only depend on hidden services for your anonymity then you should probably up your game. You can add more layers of anonymity by buying the servers you host your hidden service on anonymously (e.g. with bitcoin) so that even if they deanonymize you, they can't get your identity from the server. Also studying and actually understanding the Tor protocol and its threat model is essential practice if you are defending against motivated adversaries.

7. What onion services don’t exist yet that you would like to see?

Onion services right now are super-volatile; they may appear for three months and then they disappear. For example, there was a Twitter clone, Tor statusnet; it was quite fun--small but cozy. The guy or girl who was running it couldn’t do it any longer. So, goodbye! It would be very nice to have a Twitter clone in onion services. Everyone would be anonymous. Short messages by anonymous people would be an interesting thing.

I would like to see apps for mobile phones using onion services more—SnapChat over Tor, Tinder over Tor—using Orbot or whatever.

A good search engine for onion services. This volatility comes down to not having a search engine—you could have a great service, but only 500 sketchoids on the Internet might know about it. Right now, hidden services are misty and hard to see, with the fog of war all around. A sophisticated search engine could highlight the nice things and the nice communities; those would get far more traffic and users and would stay up longer.

The second question is how you make things. For many people, it’s not easy to set up an onion service. You have to open Tor, hack some configuration files, and there's more. We need a system where you double click, and bam, you have an onion service serving your blog. Griffin Boyce is developing a tool for this named Stormy.

If we have a good search engine and a way for people to start up onion services easily, we will have a much nicer and more normal Internet in the onion space.

8. What is the biggest misconception about onion services?

People don't realize how many use cases there are for onion services or the inventive ways that people are using them already. Only a few onion services ever become well known and usually for the wrong reasons. I think it ties back to the previous discussion—the onion services we all enjoy have no way of getting to us. Right now, they are marooned on their island of hiddenness.

9. What is the biggest misconception about onion services development?

It’s a big and complex project—it’s building a network inside a network; building a thing inside a thing. But we are a tiny team. We need the resources and person power to do it.
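
The guard-exposure reasoning in the answer to question 3 (three guards versus one, "the fewer relays you are exposed to, the safer you are"), as an added Python illustration that is not from the interview and is not Tor's code. The adversary share, rotation period, network size and equal relay weighting are assumptions chosen for the example; real Tor weights guard choice by bandwidth.

```python
import math
import random


def picks_over(days, num_guards, rotation_days):
    """Guard selections a service makes over `days` (assumed fixed rotation)."""
    return num_guards * math.ceil(days / rotation_days)


def p_exposed_closed_form(adv_fraction, days, num_guards, rotation_days):
    """P(at least one chosen guard is adversarial), treating picks as independent."""
    k = picks_over(days, num_guards, rotation_days)
    return 1.0 - (1.0 - adv_fraction) ** k


def simulate(adv_fraction, days, num_guards, rotation_days,
             relays=2000, trials=20000, seed=1):
    """Monte Carlo over a constructed network of equally weighted relays.

    Returns (share of trials in which an adversarial relay was ever a guard,
             mean number of distinct relays that learned the service's IP).
    """
    rng = random.Random(seed)
    adversarial = int(relays * adv_fraction)  # relay ids 0..adversarial-1
    periods = math.ceil(days / rotation_days)
    exposed = 0
    distinct_total = 0
    for _ in range(trials):
        seen = set()
        for _ in range(periods):
            # Each rotation period the service picks a fresh set of guards.
            seen.update(rng.sample(range(relays), num_guards))
        distinct_total += len(seen)
        if min(seen) < adversarial:
            exposed += 1
    return exposed / trials, distinct_total / trials


if __name__ == "__main__":
    ADV = 0.05      # assumed: adversary runs 5% of guard capacity
    DAYS = 360      # assumed observation window
    ROTATE = 60     # assumed guard lifetime in days
    for n in (3, 1):
        exact = p_exposed_closed_form(ADV, DAYS, n, ROTATE)
        sim, distinct = simulate(ADV, DAYS, n, ROTATE)
        print(f"{n} guard(s): P(exposed) model={exact:.3f} "
              f"sim={sim:.3f}, relays that saw the IP={distinct:.1f}")
```

Under these assumptions the one-guard configuration cuts both the number of relays that ever learn the service's address and the chance that one of them is hostile; lengthening the rotation period has the same effect.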

something is wrong with onion service , it is not so secure & safe that it claims it !
most of time, i cannot access at the onion site of my choice.
are the server compromised or is it prohibited from my isp / rogue-state_country ?
i do not know....

Great interview!
Bitsquare.io, a decentralized Bitcoin-Fiat (or Bitcoin-Altcoin) exchange, is using Tor Hidden Services as base for its P2P network (using a flooding algorithm). It is still under development but should be released in January.

'NumEntryGuards NUM' - where is the restriction for NUM be in 0...1??? Or you are just joking?! I don't believe network are turned to FORCE clients behavior and tor have some hidden ways to change clients configuration file. Consensus is just a recommendation.

There is trouble with comments because someone is spamming us with comments, and is filling up the database making it hard to spot valid comments and approve them.

I'm not sure what you mean by "guard node intrusion", but in general it's very hard to _completely stop_ guard node attacks in low-latency scenarios. This is because hidden services use long-term connections (that's how the web works) and hence they need to connect to a relay which learns their IP.

This is almost unavoidable with the current architecture of our onion routing. The question then becomes "how can we minimize the number of relays that get to see the IP of the hidden service". If we minimize this number, and assuming we have enough relays on the network, these attacks should be very unlikely. We are working on this these days!

Well, don't confuse the issue of safeing this blog against spammers (which the Project has stated is a low priority) with keeping Tor itself and TB and TM safe, which are completely different things. If you read this blog carefully over the next few months, you'll probably begin to understand why things are not nearly as bad as your first impression might have led you to believe.

Tor Project faces many threats from many determined and capable adversaries, but the core software (Tor itself) has many strengths and has proven amazingly resistant to all but a handful of known attacks. When effective attacks have come to light, the Project has almost always been able to fix them quickly. The ones it can't fix easily mostly involve things like PKI and rogue CAs which are too big for Tor Project to address alone, but even here the wider community is more and more determined to force internet vendors to fix these problems.

After accessing some specific websites you can notice the search bar displays a plus sign green icon, if I click and add this engine to my Tor Browser, would it track and log every time I use the function? The search provider knows the user when the user added its search addons and by later changing the search code and the user doesn't add its new code. From the keywords you have searched by its addons which provides the specific code so the provider may get your important personal information.

firefox feature. I never knew what that was. now i see, when i click it.
it looks like you can add a search engine to searchplugins in the profile directory (folder). if true, then the new search plugin will be a new xml file, which you can read and edit with text editor.

> the new search plugin will be a new xml file, which you can read and edit with text editor.

What worries some users is the possibility that website operators might be able to exploit a vulnerability in FF (which might also be present in TB) to also read and edit, and perhaps to recover a web-surfing log of the current TB instance.

This is probably less likely with Tails, but in the absence of informed comment I worry that it could be problem for TB.

> I don't see how adding another search option has anything to do with keeping a websurfing log.

I've noticed that some websites seem able to fiddle with TB to set their favorite search engine (e.g. the duckduckgo icon appears) and that worries me. (It's not the choice of search engine which worries me, it's the impression that the website can reset at least some TB settings.)

i believe it is as simple as :
1)get hardware
2)install/load (as example) freebsd in memory (use your notebook etc)
3)fill disk(s) with random data (if you need permanent storage)
4)encrypt full disk(s) with geli
^ one time only steps ^
5)install virtualbox
6)create firewall-vm, tor-vm, blogging.platform-vm
for more details use your brain and enjoy
hard reset and there are only disks with random data...
(just one small problem with geli and freebsd.apple ...)
all steps needed to reboot can/should be scripted.
as you are the only person who knows the passphrase and has the key file for geli nobody but you can reactivate this platform.

Assuming you are both talking about what I know as VPNs, these can be useful, but when it comes to cybersecurity, there are no magic bullets. You may want to look up NSA/ANT's FEEDTROUGH malware targeting VPNs using commercial devices sold by Juniper, which may well be the "unauthorized code" discussed in this story:

> An operating system used to manage firewalls sold by Juniper Networks contains unauthorized code that surreptitiously decrypts traffic sent through virtual private networks, officials from the company warned Thursday.

Is there a way to donate directly to the hidden services development team?

If there's one thing the recent terror attacks in Paris have shown us, it's that the big bad fearsome five eyes are completely impotent to track known terrorists over unencrypted channels much less crack Tor. Hell even the FBI went to a university for help, not the NSA with its multibillion dollar budget and unfettered access to all the world's communication lines, no, a university whose budget is 1/1000th of that with access to nothing.

Is bombing foreign houses from air not a terrorists' action? And who sells you pr about five eyes tracking terrorists they are tracking you and only you... and why do you think paris gov in first place decide to participate in air bombing? Isn't it because some paris politicians have been blackmailed by nsa agents? Someone believes info in dbs selfdestructing the moment he/she became politician...
How much money do you think domestic agencies will get tomorrow for spying on locals? Guess who is getting benefits from this accident.

hmm...now the price of the apartment in paris will decrease like after the 11th at ny.
but who was the target at ny and paris -except this supposed economic trick- ?
it was not hillary (so it happened with her agreement) it is not holland or the mayor of paris (so it happened with their agreement) ...

> Isn't it because some paris politicians have been blackmailed by nsa agents?

Don't know, but USIC agencies such as CIA have for decades used the illegal fruits of NSA targeted surveillance to bribe not just French, German, Pakistani politicians, etc, etc., but also American politicians.

In past decades, US Presidents sometimes decided that using NSA surveillance for political purposes was beyond the pale, but the last President who felt that way may have been Lyndon Johnson. I recall an incident which occurred a few days before Nixon's electoral victory. NSA brought Johnson intercepts proving that Nixon, with the connivance of the socialite and conservative political operative Anna Chennault (widow of Flying Tigers general Claire Chennault), had been conspiring with the North Vietnamese, a nation with which the US was then in a state of undeclared war, to ensure the defeat of the Democratic candidate. So Johnson had been handed proof that probably could have been used to convict Nixon of treason, a capital crime. Johnson wrote a blistering personal letter to Nixon, but decided it would be improper to disclose the intercepts.

I wish current political leaders understood that good intentions do not justify illegal actions, that one traitorous act (Nixon's) cannot be used to justify another.

OH MY GOD! THAT MEANS IF A GOVERNMENT DOES NOT LIKE WHO YOU ARE REGARDLESS OF YOU BEING A CRIMINAL, THEY WILL ELIMINATE YOU! OH MY GOD! REMEMBER NAZI GERMANY ELIMINATING ALL THE NON-CRIMINAL JEWS? THINK OF THIS WITH REGARD TO METADATA TODAY...

Your link does not learn us nothing more we do know yet since a long time : an ( us ) citizen does not exist in the usa and for the usa.
We are a coin, a billet , a market, a network where every hand, word, fingerprint become a link and all these links are the way (your genuine and private life) to make money ; you create your life and they collect the result ... before you if they know how, who, why ...
Their job is the same than the bank do , the reason is they do want LIKE YOU a very good standing without sharing.

*i will add that i should appreciate that you stop trolling with irrelevant arguments mixing false opinion and hateful propaganda. _ REMEMBER NAZI GERMANY ELIMINATING ALL THE NON-CRIMINAL JEWS? _ lol ,

It's YOU who knows but not millions of dumb internet walkers. And how many anti-troll comments you have written to pr news agencies which told the same things all the time? Don't try to shut up his mouth nobody will try to shut up yours.

Recent Updates

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.0.1-alpha from the usual place on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely by the end of the month.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

Tor 0.4.0.1-alpha is the first release in the new 0.4.0.x series. It introduces improved features for power and bandwidth conservation, more accurate reporting of bootstrap progress for user interfaces, and an experimental backend for an exciting new adaptive padding feature. There is also the usual assortment of bugfixes and minor features, all described below.

Changes in version 0.4.0.1-alpha - 2019-01-18

Major features (battery management, client, dormant mode):

When Tor is running as a client, and it is unused for a long time, it can now enter a "dormant" state. When Tor is dormant, it avoids network and CPU activity until it is reawoken either by a user request or by a controller command. For more information, see the configuration options starting with "Dormant". Implements tickets 2149 and 28335.

The client's memory of whether it is "dormant", and how long it has spent idle, persists across invocations. Implements ticket 28624.

There is a DormantOnFirstStartup option that integrators can use if they expect that in many cases, Tor will be installed but not used.

Major features (bootstrap reporting):

When reporting bootstrap progress, report the first connection uniformly, regardless of whether it's a connection for building application circuits. This allows finer-grained reporting of early progress than previously possible, with the improvements of ticket 27169. Closes tickets 27167 and 27103. Addresses ticket 27308.

When reporting bootstrap progress, treat connecting to a proxy or pluggable transport as separate from having successfully used that proxy or pluggable transport to connect to a relay. Closes tickets 27100 and 28884.

Tor 0.3.5.7 is the first stable release in its series; it includes compilation and portability fixes, and a fix for a severe problem affecting directory caches. Tor 0.3.4.10 and 0.3.3.11 are also released today; please see the official announcements for those releases if you are tracking older stable versions.

The Tor 0.3.5 series includes several new features and performance improvements, including client authorization for v3 onion services, cleanups to bootstrap reporting, support for improved bandwidth-measurement tools, experimental support for NSS in place of OpenSSL, and much more. It also begins a full reorganization of Tor's code layout, for improved modularity and maintainability in the future. Finally, there is the usual set of performance improvements and bugfixes that we try to do in every release series.

There are a couple of changes in the 0.3.5 that may affect compatibility. First, the default version for newly created onion services is now v3. Use the HiddenServiceVersion option if you want to override this. Second, some log messages related to bootstrapping have changed; if you use stem, you may need to update to the latest version so it will recognize them.

We have designated 0.3.5 as a "long-term support" (LTS) series: we will continue to patch major bugs in typical configurations of 0.3.5 until at least 1 Feb 2022. (We do not plan to provide long-term support for embedding, Rust support, NSS support, running a directory authority, or unsupported platforms. For these, you will need to stick with the latest stable release.)

Below are the changes since 0.3.5.6-rc. For a complete list of changes since 0.3.4.9, see the ReleaseNotes file.

Changes in version 0.3.5.7 - 2019-01-07

Major bugfixes (relay, directory):

Always reactivate linked connections in the main loop so long as any linked connection has been active. Previously, connections serving directory information wouldn't get reactivated after the first chunk of data was sent (usually 32KB), which would prevent clients from bootstrapping. Fixes bug 28912; bugfix on 0.3.4.1-alpha. Patch by "cypherpunks3".